Akamai Diversity

The Akamai Blog

Do DDoS attacks originate from Cloud Service Providers?

In a word, yes.  

Cloud service providers (CSPs) continue to power a growing portion of the greater Internet. According to Cisco, by 2021, 73 percent of cloud workloads are going to be CSP based, which reflects a compound annual growth rate of 27.5 percent from 2016 to 2021.

Unfortunately, CSPs are vulnerable to both Account Takeover (ATO) attacks and free account trial abuses that nefarious botnets exploit to their advantage. Akamai sees in upwards of 30 DDoS attacks per day with CSPs amongst the top traffic sourced ASNs.

The reasons CSPs are gaining traction as an attack source are for the same reasons legitimate businesses look towards them for assistance - they have capacity, flexibility, and an on-demand availability. While they  are also affordable, criminals often avoid paying by taking advantage of free trials or hijacking legitimate accounts for their own use.

 

Digging in further

Akamai Prolexic customers, prospects, and third-party security analysts have frequently inquired about the effect of CSP abuses in the modern DDoS landscape. To address their questions, we set out to find a way to measure the effects.  

  1. Grab the top Source IPs seen during the first 3 minutes of an attack and do the same for the 3 minute period 10 minutes prior to the attack.

  2. From there, we sum the total bytes seen for each Source IP in each set, take the difference, and ascribe via the IP's AS (Autonomous System) to a CSP or non-CSP source.

Doing these two things allows us to remove baseline CSP traffic and measure only the attack traffic that leveraged CSPs.

CSPs account for a significant amount of DDoS traffic

CSPs only account for a small number of the AS sources Akamai Prolexic has been seeing in a given month. While we don't see many CSPs, when we do, they account for a large amount of traffic across the network, and that traffic is more likely to be involved in DDOS attacks.

In the images below, the figure on the left represents the number of ASNs that are CSPs, and the figure on the right represents the traffic observed by CSPs both before and during an active DDoS attack.

 

And these numbers don't account for indirect reflectors...

It is important to note that reflection-based DDoS attacks (DNS Reflection, NTP Reflection, CLDAP Reflection, etc.) remain popular with attackers, but in our research we only measure the attacks that were sourced from CSP IPs. Reflection attacks launched from CSPs off of poorly configured resolvers (for example, an open DNS server) on the open Internet are not accounted for here, and would surely inflate the CSP numbers.

Gaming Industry Particularly Targeted

Attack vectors targeting customers that leverage Akamai Prolexic BGP services, in particular verticals (and even geographies), are much more likely to have attack traffic originating from CSPs. For example, gaming customers see a spike in CSP-sourced traffic during attacks. As illustrated in the images below, the amount of CSP ASN sourced traffic observed before the attack were quite small but jumped significantly during the attack.

 

 

CSP Peering Isn't Without Its Risks

Customers that have peering arrangements with CPSs face a significant level DDoS exposure. While it's true customers with peering arrangements are not at a greater risk than anyone else, the fact is upstream providers and DDoS mitigation specialists, like Akamai Routed Prolexic services, are not in path to protect them creates a noticeable attack surface.

Without active monitoring, alerting, and expert threat researchers to analyze and process attack notifications, these businesses are significantly exposed, because there is no mechanism to proactively mitigate or even notify them.

In addition, blocking traffic from these AS sources is often a no go, as they can house critical infrastructure. The ephemeral nature of these DDoS or reflection-based attacks can make mitigation controls challenging to implement in a timely fashion. More active, and sometimes invasive mitigation techniques, are often necessary.

Relying on CSPs to defend against attacks emanating from their own platforms can be slow and ineffective. The contract CSPs establish with their customers is to make infrastructure available on-demand, not to police or pass judgment on the legitimacy of the applications executing, or traffic traversing across that infrastructure.

Akamai recommends that all assets, even "trusted" CSP assets, be routed through DDoS mitigation services in either an on-demand or always-on posture. The difference comes down to each customer's appetite for risk and the equation between some imposed latency and the exposure should CSP traffic be compromised and begin generating attack traffic as covered above.

Leave a comment